import "pe"

rule malware_windows_moonlightmaze_u_logcleaner
{
    // Flags ELF binaries that carry strings from the utclean.c-style utmp/wtmp
    // log cleaner attributed to the Moonlight Maze toolset (see references in meta).
    // A hit requires the ELF magic at offset 0 plus at least one of the strings below.
    // NOTE(review): the rule name says "windows", but the condition only admits
    // ELF input, and the file-level `import "pe"` is not used by this rule.
    meta:
        description = "Rule to detect log cleaners based on utclean.c"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        author = "Kaspersky Lab"
        md5_1 = "d98796dcda1443a37b124dbdc041fe3b"
        md5_2 = "73a518f0a73ab77033121d4191172820"
    strings:
        // Progress message printed by the cleaner. NOTE(review): the trailing "n"
        // reads like a flattened "\n" from the source printf; as written the pattern
        // matches only these literal characters - confirm against the listed samples
        // before relying on it or changing it.
        $msg_hiding = "Hiding complit...n"
        // Usage banner; the most specific of the three strings.
        $msg_usage = "usage: %s <username> <fixthings> [hostname]"
        // Shell command used to swap the rewritten wtmp back into place.
        $cmd_wtmp = "ls -la %s* ; /bin/cp  ./wtmp.tmp %s; rm  ./wtmp.tmp"
    condition:
        // 0x464c457f is the little-endian read of the ELF magic bytes 7f 45 4c 46.
        uint32(0) == 0x464c457f
        and 1 of them
}
